Most data breaches in the public and private sector can be attributed directly or indirectly to human error. Cyberattacks are often the result of attackers exploiting system vulnerabilities that arise from lax data security practices or poor digital and cybersecurity hygiene. Data breaches exposed records of over 4 billion people in just the first six months of 2019. Since 2014, we have seen a massive increase in these breaches, particularly in the Tech and Government sectors. In light of this unprecedented increase in data breaches, this article uses data on the world’s largest data breaches between 2004 and 2018 to focus attention on the role of human error in these breaches, particularly in the government sector. Furthermore, the findings from the data are used to make a case for creating a robust security culture and call for both a preemptive and a responsive approach to cybersecurity in the public sector.
Of all the records stolen from 2004 to 2018, about 70 percent were stolen from the Tech sector, 20 percent from Government and around 7 percent from the Financial sector. Together, the three sectors accounted for around 97 percent of records stolen over the corresponding period. According to a report by Forrester, these sectors are often targeted by hackers not only because they hold enormous amounts of personally identifiable information (PII) but also because they are less diligent in their consumer data protection practices.
A look at the leak type - human error or malicious intent - of the breaches across different data categories suggests that roughly half of all data types were breached due to human error.* More interesting is the breakdown of leak types across sectors, which shows that about 93 percent of data breaches within the government sector resulted from human error.
Aadhaar is a 12-digit identity number assigned to every Indian citizen and forms the largest biometric database in the country. In 2017 and 2018, Aadhaar information of billions of Indians was (allegedly) “accidentally” exposed online for days. An Indian newspaper later exposed an illicit data trade in which Aadhaar information was being sold for less than US$8 on the underground market.
In the United States, a database of 191 million voters across all 50 states was exposed online due to human error and oversight in 2015. In the same year, the USA’s Office of Personnel Management (OPM) suffered two major data breaches endangering national security and the lives of many federal employees in intelligence and other sensitive jobs. OPM’s assistant inspector general of audits stated that the breaches were a result of the agency’s “long history of systemic failures to properly manage its IT infrastructure”.
These inadvertent incidents highlight the role of human error and systemic failure on the part of governments to manage citizen data. One may argue that the dichotomy of human error and malicious intent is misleading and that there will always be some level of human error involved - to err is human. While it may be incorrect to perceive human error as the cause of the problem, it is certainly a symptom of a larger systemic and institutional failure within the public sector. Earlier this year, Dr. Tracy Celaya Brown (President, Go Consulting International) and Ira Winkler (Lead Security Principal, Trustwave) delivered an intriguing talk at the RSA Conference titled “You Can Stop Stupid”. They talked at length about how a weak security infrastructure places the user in a position to initiate loss, and that robust systems and processes are required to mitigate these losses.
Unlike the private sector, which has been investing billions of dollars in cybersecurity, governments, particularly in developing countries, are not only financially resource-constrained but also lack access to human capital. The question arises: “What can governments do to ensure that public data is not compromised?”
Governments must build a comprehensive cybersecurity governance framework to ensure that security practices are viewed as a continuous process requiring both preemptive (proactive) and responsive (reactive) measures. Preemptive measures must include, but are not limited to, creating awareness among and training public personnel who deal with sensitive citizen data. There is a need to bring about a change in the attitude of government officials towards cybersecurity and to cultivate a culture of cybersecurity across government departments. Training and awareness programs for employees are low-hanging fruit that governments need to focus on. While awareness and cybersecurity training for public officials are likely to reduce the magnitude of human error involved in security lapses, they only cure (to some extent) a symptom of the larger problem at hand. There is a need to put robust systems, processes and protocols in place to limit the possibility of major security violations initiated as a result of human failings. Governments must clearly outline resilience plans to be adopted in the face of a security threat. Empowering government employees involves providing them with the tools and channels to report incidents and to move quickly to alert the security authorities of a potential breach. As the intensity and sophistication of attacks increase, responsiveness and timely action to stop or mitigate losses will be the key to maintaining data integrity.
Cybersecurity measures must be monitored continuously and at all levels. It is essential to adopt a top-down strategy, as it requires commitment to data security measures at all levels of government. As the world moves towards a digital economy, and governments in the developed and developing world alike digitize public records and services, there is an urgent need to bring cybersecurity governance to the forefront.
Note: The data used is from the dataset on the world’s biggest data breaches and hacks sourced from Information is Beautiful.